Gentoo Forums
OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)
Gentoo Forums Forum Index :: Networking & Security

ponzio
n00b

Joined: 09 Mar 2005
Posts: 41

PostPosted: Fri Jun 10, 2005 10:40 am

now the client seems to be connected
Code:
Jun 10 12:44:02 ponzio openvpn-client[31114]: TLS: Initial packet from x.x.x.x:5000, sid=ae79a4ab 8cae93bd
Jun 10 12:44:03 ponzio openvpn-client[31114]: VERIFY OK: depth=1, /C=IT/ST=Italia/L=Milano/O=OpenVPN-test

but ifconfig does not show any tun/tap device.
on the server there is an error:
Code:
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IT/ST=Italia/O=OpenVPN-test
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Mon Aug 29, 2005 8:25 pm

Just noticed version 2.0.1 is in portage; the configuration should be the same as for the official 2.0.

evol262
n00b

Joined: 10 May 2004
Posts: 25

PostPosted: Mon Sep 19, 2005 9:19 pm

Any way to allow multiple connections from the same IP? My OpenVPN server's behind a router (DMZed), and it works fine if I only have one external client. Any more than that and it chokes, forbidding new clients from connecting...

Edit: It seems to classify every connection coming from the same IP as the same client, regardless of how the keys and certs are set up. Duplicate-cn does not solve this. Do I just need to have only one client key? I don't like that... Doesn't seem to work either >.<. Any suggestions? From what I've seen, ccd can't do this, but I really need a way around it. It seems that all packets appear to be coming from my router, forbidding extra connections

Code:
Sep 19 16:28:28 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36 / time = (1127165452) Mon Sep 19 16:30:52 2005 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: incoming packet authentication failed from 192.168.1.1:1194
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)

When client 1 is also connected. If I connect client1 through the local network, I can connect client2 fine. I cannot get client2 and client3 to connect simultaneously (both external).

Sorry, that should read "client1/192.blah.blah" when client 1 is connected and client 2 is trying to connect through the same IP.

evol262
n00b

Joined: 10 May 2004
Posts: 25

PostPosted: Fri Sep 30, 2005 12:44 pm

-bump-

Any suggestions? Is there a way to make OpenVPN look up NAT traversal?

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sat Oct 15, 2005 1:12 pm

Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Sun Oct 16, 2005 6:16 pm

cchee wrote:
Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.

You mean that the init script should not define the --cd option?

AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that
Code:
ca cert.pem
relies on cert.pem existing in the /etc/openvpn directory
however
Code:
ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.

Could you explain how the init script setting the option makes it more restrictive for multiple connections?
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

l0ner
n00b

Joined: 10 Jul 2004
Posts: 37
Location: Germany

PostPosted: Tue Oct 18, 2005 9:52 am

evol262 wrote:
-bump-

Any suggestions? Is there a way to make OpenVPN look up NAT traversal?


Why would you want to do that :?:
I use both site to site, and client/server versions and have never seen a need.
The beautiful thing about OpenVPN is that you need no NAT traversal support, not like IPSEC.
Perhaps there is a different way to solve whatever problem you are having.

-l0ner

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Oct 18, 2005 5:12 pm

UberLord wrote:
cchee wrote:
Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.

You mean that the init script should not define the --cd option?

AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that
Code:
ca cert.pem
relies on cert.pem existing in the /etc/openvpn directory
however
Code:
ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.

Could you explain how the init script setting the option makes it more restrictive for multiple connections?


It makes the script only work with one VPN connection setup, i.e. the config file has to be openvpn.conf and it must be under /etc/openvpn. If I want to have multiple VPN connections to different "sites", the init script needs to be modded to fit that need. Or, as some of the developers already suggested in https://bugs.gentoo.org/show_bug.cgi?id=109363, duplicate /etc/init.d/openvpn to /etc/init.d/openvpn.foo, /etc/init.d/openvpn.bar, etc... My personal preference is not to have multiple copies of /etc/init.d/openvpn and certificates all over the place in different directories (for the sake of keeping things tidy, I prefer to keep them in a single directory for each "set" of files [anyway this is just personal preference]), but having multiple copies of /etc/init.d/openvpn gives us the ability to selectively start and stop specific VPN connections. In the bug note, there is a latest attachment for the modded openvpn init.d script. It looks into /etc/openvpn for *.conf and for each *.conf it will start and stop the openvpn connection. It relies on the individual config file to specify the "directory" for the set of files relative to the corresponding VPN connection (i.e. the cd option). IMHO, my preference may not fit your need, so it is really up to individual work habit.

spunki
n00b

Joined: 02 Nov 2005
Posts: 2

PostPosted: Wed Nov 02, 2005 8:50 pm    Post subject: OpenVPN

How can I add push "ip route add default via 213.157.224.193 dev tap0" to the config file local.conf?

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Mon Nov 28, 2005 5:14 pm    Post subject: Re: OpenVPN

spunki wrote:
How can I add push "ip route add default via 213.157.224.193 dev tap0" to the config file local.conf?

The best source, as usual, is to read the latest manual that matches the version you have installed.
Code:

ifconfig-pool 10.254.254.156 10.254.254.199 255.255.255.128
push "dhcp-renew"
push "dhcp-option DOMAIN domain.tld"
push "dhcp-option DNS 10.10.10.5"
push "dhcp-option DNS 10.10.10.9"
push "route-gateway 10.254.254.155"


The first line tells openvpn the range of IP addresses to be used for DHCP within the VPN segment.
The second line tells openvpn to have the "client" renew its DHCP.
The last line tells openvpn to have the "client" assign 10.254.254.155 as the default gateway for all VPN traffic. Mind you, you still need to have a rule in your default gateway/firewall on your remote network (server side) to tell other machines in the remote network (server side) which gateway to use for VPN traffic, in case you want to have the ability to remotely access other machines **directly** on the remote network via the VPN.

Hope this helps.
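Two things raised in this thread can be checked mechanically before a config is deployed: UberLord's point that --cd only changes where a relative file name such as `ca cert.pem` is looked up, and the ifconfig-pool / route-gateway lines explained in this post. The script below is an added example written for this page, not code from the thread, the HOWTO or the OpenVPN project. It parses a server config, resolves file directives the way a `cd` directive (or the init script's --cd) would, and checks that the pool range and the pushed route-gateway fall inside one subnet. The sample config is constructed in the style of the thread's examples, and /etc/openvpn as the default working directory is taken from the init-script discussion above.

```python
import ipaddress
import posixpath
import shlex

# Directives whose first argument is a file OpenVPN opens relative to its
# working directory; the set is assumed for this example and covers what
# the configs in this thread use.
PATH_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth", "up", "down"}

# Constructed server config in the style of the thread's examples.
SAMPLE_SERVER_CONF = """
cd /etc/openvpn/server
ca ca.crt                      # relative: resolved against the cd directory
cert server.crt
key server.key
dh /etc/openvpn/dh1024.pem     # absolute: unaffected by cd
ifconfig-pool 10.254.254.156 10.254.254.199 255.255.255.128
push "dhcp-renew"
push "dhcp-option DNS 10.10.10.5"
push "route-gateway 10.254.254.155"
"""


def parse_openvpn_config(text):
    """Split a config into (directive, [args]) pairs; '#' comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # fine here: no '#' inside quoted arguments
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def resolve_paths(entries, default_dir="/etc/openvpn"):
    """Map each file directive to the absolute path OpenVPN would open.

    The last 'cd' directive wins, like the --cd option: a bare 'ca cert.pem'
    becomes <cd>/cert.pem, while '/etc/ssl/certs/cert.pem' is used as-is.
    default_dir stands in for the --cd the init script passes.
    """
    cwd = default_dir
    for directive, args in entries:
        if directive == "cd" and args:
            cwd = args[0]
    resolved = {}
    for directive, args in entries:
        if directive in PATH_DIRECTIVES and args:
            path = args[0]
            resolved[directive] = path if posixpath.isabs(path) else posixpath.join(cwd, path)
    return resolved


def check_pool(entries):
    """Sanity-check 'ifconfig-pool start end mask' against the pushed route-gateway.

    Returns a list of problems; an empty list means the addresses are consistent.
    """
    pool = gateway = None
    for directive, args in entries:
        if directive == "ifconfig-pool" and len(args) >= 3:
            pool = args[:3]
        elif directive == "push" and args and args[0].startswith("route-gateway "):
            gateway = args[0].split()[1]
    if pool is None:
        return ["no ifconfig-pool directive found"]
    start, end, mask = pool
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    problems = []
    if ipaddress.ip_address(start) > ipaddress.ip_address(end):
        problems.append(f"pool start {start} is after pool end {end}")
    if ipaddress.ip_address(end) not in net:
        problems.append(f"pool end {end} lies outside {net}")
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"route-gateway {gateway} is not inside the pool subnet {net}")
    return problems


if __name__ == "__main__":
    entries = parse_openvpn_config(SAMPLE_SERVER_CONF)
    for directive, path in resolve_paths(entries).items():
        print(f"{directive:9s} -> {path}")
    print("pool problems:", check_pool(entries) or "none")
```

Running it on the sample prints the four resolved file paths (ca/cert/key under /etc/openvpn/server, dh untouched) and no pool problems; feeding it a config whose route-gateway sits outside the pool's /25 reports that mismatch, which is the kind of silent misconfiguration that otherwise only shows up as clients with no working default route.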

LL0rd
l33t

Joined: 24 May 2004
Posts: 652
Location: Schlundcity

PostPosted: Mon Dec 05, 2005 2:05 pm

Hi,

I had set up an openvpn server to secure my wlan network. Now I want to use the server to dial in to the LAN (windows xp notebook). That already works, but: I'm a student at a German university. There we have two ways to use the wlan:

1)
NIC ==> (Webauth) ==> Internet

2)
NIC ==> Cisco VPN client ==> VPN NIC ==> Internet

When I go the first way, I can connect to PCs that are in the VPN. But the whole Internet traffic is unencrypted. When I go the second way, I can connect to the VPN Network. I also get the IP address by dhcp, but I can't connect to the PCs of the VPN network.

My idea is that there is a wrong routing table. Can anybody help me?
_________________
Old mathematicians don't die - they just lose some of their functions.

d4h0od
Tux's lil' helper

Joined: 27 Jun 2002
Posts: 80
Location: Europe => Sweden => Blekinge => Karlskrona => h0odet

PostPosted: Sat Mar 25, 2006 9:35 pm    Post subject: confused OpenVPN beginner

First off, thanks for a very good howto. Although it hasn't solved all my problems, it still guided me very far and I managed to set up a vpn-server & vpn-client and can ping both ways :)

I want to do the following:

I have a gentoo server back home with full access to the internet (no firewalls etc) and I want to route all traffic from my client laptop (that's located behind a hotel firewall that I have no control over) through my gentoo-server and use that as a "proxy" for all my traffic, so I can freely connect to any service on any port.

And no, it's not to download warez/porn ;)
I'm just a poker-addict playing at several different sites, but now that I'm away on a trip for several months I'm forced to sit behind a firewall that blocks most (if not all) ports that I need open to be able to continue playing :(

First of all, is it possible for me to route all internet traffic from my hotel computer to my vpn-server and then out on the internet? And will the fact that I'm receiving my client ip-address from the hotel fw via dhcp cause any problems?

Do I need 1 or 2 NICs on the server and what configuration would I need to perform on the server?

So far I have managed to set up a vpn-server on the gentoo-server and connect to it with my laptop (winxp) using ssl certificates, so those parts work ok.

This is my lame attempt to try and illustrate my idea

Code:

---------------           ---------------          ------------          -----------------
| Client      | <<RESP<<  | Hotel FW    | <<RESP<< | Internet | <<RESP<< | Gentoo server |
|             |           |             |          |          |          |               |
| 192.168.3.x | >>REQ>>   | 192.168.3.x | >>REQ>>  |          | >>REQ>>  | 194.10.180.x  |
---------------           ---------------          ------------          -----------------
                                                     |v    ^^                v|    ^^
                                                     Rv    R^                vR    ^|
                                                     Ev    E^                vE    ^R
                                                     Sv    Q^                vQ    ^E
                                                     Pv    |^<<<<<<<<<<<<<<<<<|    ^S
                                                     |v    \------------------/    ^P
                                                     |v                            ^|
                                                     |v>>>>>>>>>>>>>>>>>>>>>>>>>>>>^|
                                                     \--------------RESP------------/


_________________
// d4h0od

ethzural
n00b

Joined: 11 May 2006
Posts: 1

PostPosted: Thu May 18, 2006 7:12 am    Post subject: bridging

Hi guys, before I start on my openvpn, I suppose I need to set up the bridge between eth0 and tap0 first?
However, I have included the bridge (built-in) and tun/tap (module) in the kernel, yet /dev/net/tun keeps disappearing each time I reboot the server. So, how am I going to create tap0?

b1f30
Apprentice

Joined: 16 Nov 2005
Posts: 262
Location: USA

PostPosted: Fri Jun 16, 2006 1:09 am    Post subject: Re: DNS lookup for OpenVPN client (Linux only)

cchee wrote:
For those who have Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following to their Linux client configuration (using the above example environment):
Code:
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

where client.up is a shell script with the following content:
Code:
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:
Code:
sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf

Make sure you have
Code:
chmod 755 client.up client.down
And have these scripts under the same directory as the configuration file. Note: An absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.


I'm trying to get the 'up' and 'down' scripts to work, and I've placed the following two lines in my /etc/openvpn/openvpn.conf:

up /etc/openvpn/client.up
down /etc/openvpn/client.down

chmod'ed the scripts with 755, and openvpn starts up just fine. It adds the nameserver info to /etc/resolv.conf, but when I bring openvpn down, the two new entries still remain in /etc/resolv.conf leaving me to manually edit every time I bring it down. Absolute paths are fine, permissions are set - what the heck am I doing wrong here?

:evil:
_________________
H T T P : / / W W W . B I N A R Y F R E E D O M . I N F O /
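The up/down pair quoted above edits /etc/resolv.conf in place with sed, and the complaint in this post is that the down step leaves the VPN entries behind. The Python below is an added example written for this page (not the thread's scripts and not anything shipped with OpenVPN) that performs the same two operations on the file's text, so the round trip can be tested on a scratch copy before it is wired into `up`/`down` directives. The resolver addresses and search domain are the ones in the quoted scripts; the starting resolv.conf content, the file-rewrite helper and the function names are constructed for the example. One thing the helper makes visible: OpenVPN runs the down script with whatever privileges the daemon has at that point (reduced ones if --user/--group are in effect), so a down script that cannot write /etc/resolv.conf is a cause worth checking when the entries persist.

```python
import os
import tempfile

VPN_NAMESERVERS = ["10.2.0.1", "10.2.0.2"]   # from the quoted client.up
VPN_SEARCH = "homenetwork.local."            # from the quoted client.up

# Constructed starting resolv.conf (what a DHCP lease might leave behind).
RESOLV_BEFORE = "nameserver 192.168.1.1\nsearch hotel.example\n"


def vpn_lines(nameservers=VPN_NAMESERVERS, search=VPN_SEARCH):
    """The exact lines the up step inserts and the down step must remove."""
    return [f"nameserver {ns}" for ns in nameservers] + [f"search {search}"]


def add_vpn_resolver(text, nameservers=VPN_NAMESERVERS, search=VPN_SEARCH):
    """client.up equivalent: put the VPN resolver lines at the top of resolv.conf.

    Inserting before line 1 makes the VPN nameservers the first ones tried;
    the pre-existing entries stay below them as fallbacks.
    """
    return "\n".join(vpn_lines(nameservers, search)) + "\n" + text


def remove_vpn_resolver(text, nameservers=VPN_NAMESERVERS, search=VPN_SEARCH):
    """client.down equivalent: delete exactly the lines the up step added.

    Unlike the quoted sed prefix match '/nameserver 10.2.0/d', only whole
    matching lines are dropped, so an unrelated 10.2.0.x resolver survives.
    """
    wanted = set(vpn_lines(nameservers, search))
    kept = [ln for ln in text.splitlines() if ln.strip() not in wanted]
    return "\n".join(kept) + ("\n" if kept else "")


def vpn_entries_present(text, nameservers=VPN_NAMESERVERS, search=VPN_SEARCH):
    """True if any VPN resolver line is still in the text (the failure described above)."""
    present = {ln.strip() for ln in text.splitlines()}
    return any(line in present for line in vpn_lines(nameservers, search))


def rewrite_file(path, transform):
    """Apply transform(text) -> text to a file via a temp file plus rename.

    Raises PermissionError instead of half-writing when the caller may not
    write there, which is what an unprivileged down script hits on /etc/resolv.conf.
    """
    with open(path, encoding="utf-8") as fh:
        new_text = transform(fh.read())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(new_text)
    os.replace(tmp, path)


def roundtrip_demo():
    """Up then down on a scratch file; True if the original content comes back intact."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "resolv.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(RESOLV_BEFORE)
        rewrite_file(path, add_vpn_resolver)
        with open(path, encoding="utf-8") as fh:
            up_ok = vpn_entries_present(fh.read())
        rewrite_file(path, remove_vpn_resolver)
        with open(path, encoding="utf-8") as fh:
            after = fh.read()
        return up_ok and not vpn_entries_present(after) and after == RESOLV_BEFORE


if __name__ == "__main__":
    print("round trip restores resolv.conf:", roundtrip_demo())
```

A design note: both the quoted scripts and this version leave the original `search` line in place below the inserted one. The resolver honours the last `search` line it reads, so if the original file already carries one, the VPN search domain inserted at the top is overridden by it; deleting and restoring the original line, or writing the whole file from a saved copy, avoids that.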

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Fri Jun 16, 2006 8:27 am

You could always use the p.masked openvpn beta and use its supplied up and down scripts.
You may also want to emerge resolvconf-gentoo and baselayout-1.12.1 for really good support too :)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

julmust
n00b

Joined: 13 Oct 2002
Posts: 57
Location: Landskrona, Sweden

PostPosted: Mon Jul 03, 2006 11:39 pm    Post subject: Can't reach remote subnet

I can't figure out how to enable the clients to reach the entire remote subnet; my setup is this:

OpenVPN running on a server (192.168.0.200) behind firewall.
Client is WinXP.

192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet

serverconf (basically set up as in this how to):
Code:

port 1194
dev tap

tls-server

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh1024.pem
tls-auth /etc/openvpn/server/static.key  0

duplicate-cn
mode server

ifconfig 192.168.100.100 255.255.255.0
ifconfig-pool 192.168.100.101 192.168.100.105 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route-gateway 192.168.100.100"

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"

push "route 192.168.0.0 255.255.255.0 192.168.100.100"
push "route 192.168.100.0 255.255.255.0 192.168.100.100"

comp-lzo


client config:
Code:

port 1194 # or any other port you want to use
dev tap
remote remote-address #is external IP of the OpenVPN server

tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth static-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4


After starting the server the client gets an IP (192.168.100.101), so that seems to be fine. The client can ping the virtual VPN server address 192.168.100.100 and vice versa. From the client I can also reach 192.168.0.200, which is eth0 on the VPN server. Now I want to be able to reach the other clients in the subnet. Been scratching my head all day long about this issue. I guess I need to somehow route traffic from tap0 to eth0 or similar. This is where I need some help..

Output on server side:
Code:

PC01_server ~ # route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
PC01_server ~ # cat /proc/sys/net/ipv4/ip_forward
1


On client side:
Code:

c:\>route PRINT
....
192.168.0.0   255.255.255.0  192.168.100.100  192.168.100.101


This would mean all traffic to 192.168.0.0/24 would go to gateway 192.168.100.100 via the 192.168.100.101 adapter, right?
As I read in the troubleshooting section of this howto, the other option would be to use an ethernet bridge; this I have not tried, and it seems as if that wouldn't be necessary?

I'm probably overlooking something vital so it would be really great if someone could point me in the right direction!
_________________
hm.. help me.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Tue Jul 04, 2006 8:42 am

Have you enabled ip forwarding on the server?
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

julmust
n00b

Joined: 13 Oct 2002
Posts: 57
Location: Landskrona, Sweden

PostPosted: Tue Jul 04, 2006 8:57 am

I have, and it's enabled in the kernel; I've loaded the ip_tables module as well. Do I have to do anything with iptables?
I've tried various combinations without success.
_________________
hm.. help me.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Tue Jul 04, 2006 10:17 am

I've had this problem before, but I cannot remember what exactly I did to fix it.
Since you can ping the remote server ip on the remote subnet but not anything else on the subnet, it's simply a routing/forwarding/iptables issue on the server.

One thing I could suggest is that you try the firewall init script I have here
http://dev.gentoo.org/~uberlord/firewall

and configure /etc/conf.d/firewall to read
Code:

LOCAL_IPV4="192.168.0.0/24 192.168.100.0/24"
FORWARD_INTERFACES=( "tap0 eth0" )


If it works, then configure it for the ports you want to open, close and you're set to go. Otherwise, post your problem in a new thread as it's no longer an openvpn issue.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

julmust
n00b

Joined: 13 Oct 2002
Posts: 57
Location: Landskrona, Sweden

PostPosted: Tue Jul 04, 2006 3:45 pm

What is the recommended way to set the open ports in your firewall script? Since for the moment I only have ssh access, I want to make sure that ssh and other ports are open before I try it..
_________________
hm.. help me.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Tue Jul 04, 2006 4:33 pm

PORTS_IN="ssh"

or just on the defined local IPs

LOCAL_PORTS_IN="ssh"

Add either numerics, numeric ranges (100:110) or names in /etc/services
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Fri Jul 28, 2006 3:18 pm

julmust,

Your gateway/router on your server subnet needs to add a rule to tell the rest of the machines (on the same subnet as your server) which "vpn gateway" to use for VPN traffic.

In your case:
Code:
192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet


You will need to have the router on your remote subnet (192.168.0.0/24) to add a rule to tell the rest of the machines on your remote subnet how to route the VPN traffic from/to your virtual subnet (192.168.100.0/24) via your VPN server (192.168.0.200) to your client (192.168.100.101).

And as UberLord mentioned, you need to make sure you have ip_forwarding enabled in your VPN server to make it work.
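What cchee describes here, the hosts on 192.168.0.0/24 handing their replies for 192.168.100.x to their default gateway instead of back through the VPN server, can be walked through with a toy route lookup. The script below is an added example written for this page, not part of the HOWTO or of OpenVPN: it models the client, the VPN server, one LAN host and the router with per-host routing tables built from the `route` outputs julmust posted, and traces a packet each way with longest-prefix matching. The LAN host 192.168.0.50, the router's upstream hop 203.0.113.1, the host names and the `forward` flag are constructed; that flag models UberLord's ip_forward question, so a packet arriving at a server that does not forward is dropped there.

```python
import ipaddress

# Addresses and prefixes from julmust's posts; lanhost, the router's upstream
# hop (203.0.113.1) and the host names are constructed for the example.
CLIENT_IP = "192.168.100.101"
SERVER_VPN_IP = "192.168.100.100"
SERVER_LAN_IP = "192.168.0.200"
LAN_HOST_IP = "192.168.0.50"
ROUTER_IP = "192.168.0.1"
UPSTREAM_IP = "203.0.113.1"


class RoutingTable:
    """Longest-prefix-match lookup over (destination, gateway-or-None, iface) entries."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(dst), gw, iface) for dst, gw, iface in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def build_hosts(router_has_vpn_route, server_forwards=True):
    """Per-host model; router_has_vpn_route adds the rule cchee describes to the router."""
    router_routes = [("192.168.0.0/24", None, "lan"), ("0.0.0.0/0", UPSTREAM_IP, "wan")]
    if router_has_vpn_route:
        # Reach the virtual subnet via the VPN server's LAN address.
        router_routes.insert(0, ("192.168.100.0/24", SERVER_LAN_IP, "lan"))
    return {
        "client": {"addrs": {CLIENT_IP}, "forward": False, "table": RoutingTable([
            ("192.168.100.0/24", None, "tap"),
            ("192.168.0.0/24", SERVER_VPN_IP, "tap"),      # the route the server pushes
        ])},
        "vpnserver": {"addrs": {SERVER_VPN_IP, SERVER_LAN_IP}, "forward": server_forwards,
                      "table": RoutingTable([
                          ("192.168.100.0/24", None, "tap0"),
                          ("192.168.0.0/24", None, "eth0"),
                          ("0.0.0.0/0", ROUTER_IP, "eth0"),
                      ])},
        "lanhost": {"addrs": {LAN_HOST_IP}, "forward": False, "table": RoutingTable([
            ("192.168.0.0/24", None, "eth0"),
            ("0.0.0.0/0", ROUTER_IP, "eth0"),
        ])},
        "router": {"addrs": {ROUTER_IP}, "forward": True, "table": RoutingTable(router_routes)},
    }


def trace(hosts, src, dst, max_hops=8):
    """Follow a packet from host `src` to address `dst`; returns the hop list plus an outcome."""
    owner = {ipaddress.ip_address(ip): name for name, h in hosts.items() for ip in h["addrs"]}
    dst_ip = ipaddress.ip_address(dst)
    path, current = [src], src
    for _ in range(max_hops):
        host = hosts[current]
        if dst_ip in {ipaddress.ip_address(a) for a in host["addrs"]}:
            return path + ["delivered"]
        if current != src and not host["forward"]:
            return path + ["dropped: ip_forward disabled"]
        route = host["table"].lookup(dst)
        if route is None:
            return path + ["no route"]
        _net, gw, _iface = route
        next_ip = dst_ip if gw is None else ipaddress.ip_address(gw)
        nxt = owner.get(next_ip)
        if nxt is None:
            return path + [f"forwarded to unknown gateway {next_ip}"]
        path.append(nxt)
        current = nxt
    return path + ["loop"]


if __name__ == "__main__":
    for fixed in (False, True):
        hosts = build_hosts(router_has_vpn_route=fixed)
        print("router has route to 192.168.100.0/24:", fixed)
        print("  client -> LAN host :", " -> ".join(trace(hosts, "client", LAN_HOST_IP)))
        print("  LAN host -> client :", " -> ".join(trace(hosts, "lanhost", CLIENT_IP)))
```

Without the router rule the forward direction is fine (client, VPN server, LAN host) while the reply leaves the LAN towards the router's upstream and never comes back; with it, the reply goes router, VPN server, client. The other way to make the reply path work, which hanj's iptables lines later in this thread use, is to MASQUERADE the VPN subnet on the server's LAN interface so LAN hosts only ever see 192.168.0.200 and need no extra route.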

mmx87
n00b

Joined: 30 Mar 2006
Posts: 7

PostPosted: Thu Sep 21, 2006 6:36 pm

Great tutorial...although you forgot to note where easyrsa is located when you use the official portage ebuild of openvpn. Easyrsa is located in /usr/share/openvpn/easyrsa. Also, the openvpn init script from the ebuild has changed as well and the configuration file is expected to be found at /etc/openvpn/openvpn.conf. Just letting everyone know of a few hurdles I had to overcome to get openvpn working.

cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Oct 03, 2006 3:44 am

Just an fyi, there is a port to PocketPC underway for OpenVPN. I will update the mini-howto to include PocketPC setup later once I give it a try... :) For those who can't wait, you can check it out here:

http://www.ziggurat29.com/OVPNPPCAlpha/OVPNPPCAlpha.htm

hanj
Veteran

Joined: 19 Aug 2003
Posts: 1490

PostPosted: Sat Oct 07, 2006 6:08 am

Hello

I'm having trouble with my OpenVPN configuration, but only when trying to connect from WAN to local network. I also have a DMZ network (wireless) that I'm able to connect to just fine with VPN. I keep receiving the following error on the server when trying to connect on the WAN:

Code:
Oct  6 23:50:52 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: new session incoming connection from xxx.xxx.xxx.xxx:50264
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS handshake failed
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct  6 23:51:05 comp openvpn[8844]: MULTI: multi_create_instance called
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Re-using SSL/TLS context
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 LZO compression initialized
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options hash (VER=V4): '360696c5'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options hash (VER=V4): '13a273ba'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: Initial packet from xxx.xxx.xxx.xxx:50264, sid=dcb36b41 f3607908



This is the error on the client (Windows XP using OpenVPNGUI)

Code:
Fri Oct 06 23:50:58 2006 us=685483 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 06 23:50:58 2006 us=685538 TLS Error: TLS handshake failed
Fri Oct 06 23:50:58 2006 us=686068 TCP/UDP: Closing socket
Fri Oct 06 23:50:58 2006 us=686483 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 06 23:50:58 2006 us=686515 Restart pause, 2 second(s)
Fri Oct 06 23:51:00 2006 us=686483 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 06 23:51:00 2006 us=690118 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Oct 06 23:51:00 2006 us=690177 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690260 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690410 LZO compression initialized
Fri Oct 06 23:51:00 2006 us=690567 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Oct 06 23:51:00 2006 us=693216 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Oct 06 23:51:00 2006 us=693299 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Oct 06 23:51:00 2006 us=693329 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Oct 06 23:51:00 2006 us=693390 Local Options hash (VER=V4): '13a273ba'
Fri Oct 06 23:51:00 2006 us=693426 Expected Remote Options hash (VER=V4): '360696c5'
Fri Oct 06 23:51:00 2006 us=693481 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 06 23:51:00 2006 us=693535 UDPv4 link local (bound): [undef]:800
Fri Oct 06 23:51:00 2006 us=693568 UDPv4 link remote: xxx.xxx.xxx.xxx:800


Now, as I said, when I connect while on the DMZ (172.16.0.0/24) network, everything works fine. My internal network is 10.0.0.0/26. It seems like this might be a NAT or routing issue.. possibly the client is not receiving a response. There are no blocks showing in /var/log/messages, and there should be if it's not allowed. That's why I keep thinking it's a route problem.

Here is my route table on the firewall/vpn server
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
172.16.0.0      *               255.255.255.0   U     0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1


eth1 is connected directly to Cisco 800 series DSL modem, eth0 is my internal network and eth2 is my DMZ network.

I'm running my OpenVPN on a non-standard port UDP/800. Here are some interesting pieces of my iptables script

Code:
$IPT -A INPUT -p udp --dport 800 -d $NATIP -j ACCEPT
$IPT -A OUTPUT -p udp --dport 800 -o eth1 -s 192.168.0.3 -j ACCEPT
$IPT -A OUTPUT -p udp -s 192.168.0.3 --sport 800 -j ACCEPT
$IPT -A INPUT -i tap0 -j ACCEPT
$IPT -A FORWARD -i tap0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE


Any help to get this working is greatly appreciated!

thanks
hanji
_________________
Server Admin Blog - Uno-Code.com
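The server-side log excerpts in this thread (ponzio's VERIFY ERROR and "no certificate returned", evol262's replay and packet-authentication failures, hanj's TLS key negotiation timeout) are the lines an operator ends up grepping for. The script below is an added example for this page, not the thread's or OpenVPN's code: it classifies such lines, groups them by the peer OpenVPN prefixes them with, and flags a peer address that shows both replay and HMAC failures, which is what evol262's log looked like with two clients behind one NAT address. The sample log is constructed from the posted lines, with the public addresses the posters masked as x.x.x.x replaced by documentation addresses; the hint text per category is this example's suggestion of what to check, not a conclusion the thread reached.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines posted in this thread; the
# addresses masked as x.x.x.x in the posts are replaced with documentation
# addresses (198.51.100.7, 203.0.113.9).
SAMPLE_LOG = """\
Jun 10 12:41:41 test openvpn-test[321]: 198.51.100.7:24880 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IT/ST=Italia/O=OpenVPN-test
Jun 10 12:41:41 test openvpn-test[321]: 198.51.100.7:24880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36 / time = (1127165452) Mon Sep 19 16:30:52 2005 ]
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: incoming packet authentication failed from 192.168.1.1:1194
Oct  6 23:51:04 comp openvpn[8844]: 203.0.113.9:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  6 23:51:04 comp openvpn[8844]: 203.0.113.9:50264 TLS Error: TLS handshake failed
Jun 10 12:44:03 ponzio openvpn-client[31114]: VERIFY OK: depth=1, /C=IT/ST=Italia/L=Milano/O=OpenVPN-test
"""

# (category, pattern, what to check).  Order matters: the first pattern that
# matches a line wins.
PATTERNS = [
    ("verify_error", re.compile(r"VERIFY ERROR: depth=\d+, error=[^:]+"),
     "peer certificate failed chain validation; check the ca file and that the cert was issued by it"),
    ("no_client_cert", re.compile(r"no certificate returned"),
     "peer presented no certificate; check the client's cert/key directives and file paths"),
    ("replay", re.compile(r"bad packet ID \(may be a replay\)"),
     "packet-ID check failed; two clients behind one NAT address (as in this thread) or a real replay"),
    ("hmac_fail", re.compile(r"incoming packet authentication failed"),
     "tls-auth HMAC failed; wrong ta.key/key-direction, or packets attributed to the wrong session"),
    ("handshake_timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "no handshake completed; port/proto mismatch, firewall or NAT in the path"),
    ("handshake_failed", re.compile(r"TLS handshake failed"),
     "handshake aborted; the preceding lines for the same peer hold the cause"),
]
HINTS = {name: hint for name, _rx, hint in PATTERNS}

# Server-side lines read "prefix]: [cn/]ip:port message"; capture the peer part.
PEER_RE = re.compile(r"\]: (?:(?P<cn>[^/ ]+)/)?(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) ")


def classify_line(line):
    """Return the category of a known control-channel problem, or None for anything else."""
    for name, rx, _hint in PATTERNS:
        if rx.search(line):
            return name
    return None


def peer_of(line):
    """Extract '[cn/]ip:port' from a server log line; '-' when the line names no peer."""
    m = PEER_RE.search(line)
    if not m:
        return "-"
    cn = f"{m.group('cn')}/" if m.group("cn") else ""
    return f"{cn}{m.group('ip')}:{m.group('port')}"


def summarize(log_text):
    """Count categories per peer: {peer: {category: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        category = classify_line(line)
        if category:
            counts[peer_of(line)][category] += 1
    return {peer: dict(c) for peer, c in counts.items()}


def suspect_shared_address(summary):
    """Peers showing both replay and HMAC failures: the signature of several clients behind one address."""
    return sorted(p for p, c in summary.items() if "replay" in c and "hmac_fail" in c)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for peer, cats in summary.items():
        print(peer)
        for cat, n in cats.items():
            print(f"  {n}x {cat}: {HINTS[cat]}")
    print("possible shared-address peers:", suspect_shared_address(summary))
```

The per-peer grouping is the useful part: a single peer that fails certificate verification and then returns no certificate points at the client's cert/key setup, while a peer that only ever times out with nothing else logged, as in hanj's case, points at the path between the two hosts rather than at TLS.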

All times are GMT
Page 4 of 5